Security researchers have warned that many ‘smart city’ kiosks and interactive terminals can be easily hacked, allowing attackers to steal credentials and payment data and install malware.
Kaspersky Lab tested a number of information kiosks, self-service ticketing machines, infotainment terminals in taxis and even bike rental machines to check their cyber defenses.
The firm said these devices may become popular targets for cybercriminals because of a perfect storm of their being always on; having a high user trust level; being connected to the internet and each other; and processing sensitive user data including financial details.
It claimed it’s relatively easy for an attacker to manipulate the terminal to exit the ‘kiosk’ mode and access the OS and all the data stored on it.
This can be done via “tap fuzzing” – i.e. tapping the corners of the screen – or “data fuzzing”, where malformed data is entered in order to bring up an OS error window.
Another technique to access the machine’s OS is to click on any external links that may have been accidentally left in by the developer.
In one scenario, the researchers explained how they could hack an Android-based taxi cab infotainment device.
“In those terminals that we were able to analyze, there was hidden text on the main screen. It can be selected using standard Android tools using a context menu. This leads to the search option being activated on the main screen,” they explained.
“As a result, the shell stops responding, terminates and the device is automatically restarted. While the device is starting, all the hacker needs to do is exit to the main menu at the right time and open the RootExplorer – an Android OS file manager.”
From here the hacker can access the device OS and even the on-board camera.
Kaspersky Lab recommended developers of these terminals ensure their “interactive shell” has no functions which could allow the OS menu to be called; and ensure the app itself is launched in a sandbox.
It also recommended that the OS be launched with restricted privileges so that apps can’t be installed, and that a unique account and password be used for each device so that one compromised device does not give an attacker access to the others.
A thin client set-up could also help protect these machines, the firm added.
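As an added illustration of those recommendations (this is not code from the article or from Kaspersky Lab), the snippet below shows how an Android kiosk app can use the device-owner policy APIs to pin itself, block app installation and debugging, and remove the selectable-text context menu that was used to escape the taxi terminal. It assumes the app has been provisioned as device owner and that `KioskAdminReceiver`, the layout and the view id are the app's own (hypothetical names).

```java
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.os.UserManager;
import android.widget.TextView;

// Added example: hardening the "interactive shell" of an Android kiosk.
// Assumes the app is the device owner and KioskAdminReceiver is its
// DeviceAdminReceiver (hypothetical name).
public class KioskActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_kiosk);  // hypothetical layout

        DevicePolicyManager dpm =
                (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(this, KioskAdminReceiver.class);

        if (dpm.isDeviceOwnerApp(getPackageName())) {
            // Only this package may run pinned; Home and Recents stay blocked while pinned.
            dpm.setLockTaskPackages(admin, new String[] { getPackageName() });
            // Restricted privileges: no app installs, no ADB/debugging, no factory reset.
            dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_APPS);
            dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);
            dpm.addUserRestriction(admin, UserManager.DISALLOW_FACTORY_RESET);
            // Remove the status bar and lock screen so pull-down menus are unreachable.
            dpm.setStatusBarDisabled(admin, true);
            dpm.setKeyguardDisabled(admin, true);
        }

        // The taxi terminal was escaped through hidden selectable text whose
        // context menu exposed search: make sure no on-screen text is selectable.
        TextView banner = findViewById(R.id.banner);  // hypothetical view id
        banner.setTextIsSelectable(false);
        banner.setLongClickable(false);

        // Pin the task: Back, Home and Recents no longer leave the kiosk UI.
        startLockTask();
    }

    @Override
    public void onBackPressed() {
        // Swallow Back so the activity (and with it the shell) cannot be dismissed.
    }
}
```

Lock task mode only holds while the app remains running, so the shell should also be registered as the device's launcher so it is restarted automatically after the crash-and-reboot sequence described above.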